FS#61647 - [openvpn] Cryptocard login - OpenVPN stuck on PIN prompt

Attached to Project: Arch Linux
Opened by Pawel Szafer (pszafer) - Wednesday, 06 February 2019, 05:58 GMT
Last edited by Toolybird (Toolybird) - Wednesday, 27 September 2023, 06:36 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Christian Hesse (eworm)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

Hello, I want to use a cryptocard certificate to connect to an OpenVPN server.
Unfortunately it is stuck on the PIN prompt (before it asks for the PIN).

Config of client
```
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote FQDN PORT udp
lport 0
verify-x509-name "FQDN" name
comp-lzo adaptive
verb 10
pkcs11-providers /usr/lib/pkcs11/libccpkip11.so
pkcs11-id 'PKCS_ID'
<ca>
CA
</ca>
<tls-auth>
TLS
</tls-auth>
key-direction 1
```

End of logs:
```
Tue Feb 5 16:50:55 2019 us=500146 PKCS#11: _pkcs11h_session_login entry session=0x55ca09094280, is_publicOnly=1, readonly=1, user_data=(nil), mask_prompt=00000003
Tue Feb 5 16:50:55 2019 us=500154 PKCS#11: _pkcs11h_session_logout entry session=0x55ca09094280
Tue Feb 5 16:50:55 2019 us=500162 PKCS#11: _pkcs11h_session_logout return
Tue Feb 5 16:50:55 2019 us=500171 PKCS#11: _pkcs11h_session_reset entry session=0x55ca09094280, user_data=(nil), mask_prompt=00000003, p_slot=0x7ffcba47d9f8
Tue Feb 5 16:50:55 2019 us=500179 PKCS#11: _pkcs11h_session_reset Expected token manufacturerID='CryptoTech Ltd.' model='CC Carbon', serialNumber='1012000100274906', label='PKI Token 1'
Tue Feb 5 16:50:55 2019 us=500188 PKCS#11: _pkcs11h_session_getSlotList entry provider=0x55ca0905e660, token_present=1, pSlotList=0x7ffcba47d8a8, pulCount=0x7ffcba47d8b0
Tue Feb 5 16:50:55 2019 us=500325 PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=0
Tue Feb 5 16:50:55 2019 us=500336 PKCS#11: Calling token_prompt hook for 'PKI Token 1'
```

And it is stuck there. According to https://community.openvpn.net/openvpn/ticket/538 it is all because of `--enable-systemd`.
There are some patches which can be included in the build, and then it works again with `systemd`.
What's your opinion on it?


Additional info:

```
OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
library versions: OpenSSL 1.1.1a 20 Nov 2018, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
```
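One way to check a system against the pattern in this report, as an added example that is not part of the original task or of OpenVPN itself: it looks for a PKCS#11 client config, a build with `enable_pkcs11=yes` and `enable_systemd=yes`, and a log that ends at the `token_prompt` hook call. The function names and verdict strings are hypothetical, and the sample inputs are abbreviated from the report or constructed.

```shell
#!/bin/sh
# Added example (not from the report): check whether an OpenVPN setup matches
# the pattern described above. Function names and verdicts are hypothetical.

# True if the "Compile time defines" text lists NAME=yes.
has_define() {                # has_define NAME VERSION_TEXT
    printf '%s\n' "$2" | tr ' ' '\n' | grep -qx "$1=yes"
}

# True if the config has an uncommented pkcs11-providers or pkcs11-id line.
uses_pkcs11() {               # uses_pkcs11 CONFIG_TEXT
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*pkcs11-(providers|id)[[:space:]]'
}

# True if the last log line is the token_prompt hook call, i.e. nothing
# was logged after it, as in the report.
stalled_at_token_prompt() {   # stalled_at_token_prompt LOG_TEXT
    printf '%s\n' "$1" | tail -n 1 | grep -q 'PKCS#11: Calling token_prompt hook'
}

# Prints one verdict for the three inputs.
diagnose() {                  # diagnose VERSION_TEXT CONFIG_TEXT LOG_TEXT
    if ! uses_pkcs11 "$2"; then echo "not-applicable"; return 0; fi
    if ! has_define enable_pkcs11 "$1"; then echo "build-lacks-pkcs11"; return 0; fi
    if has_define enable_systemd "$1" && stalled_at_token_prompt "$3"; then
        echo "matches-systemd-prompt-stall"
    else
        echo "no-match"
    fi
}

# Inputs abbreviated from the report above; SAMPLE_VERSION_NOSD is constructed.
SAMPLE_VERSION='Compile time defines: enable_management=yes enable_pkcs11=yes enable_systemd=yes enable_werror=no'
SAMPLE_VERSION_NOSD='Compile time defines: enable_management=yes enable_pkcs11=yes enable_systemd=no enable_werror=no'
SAMPLE_CONFIG="client
pkcs11-providers /usr/lib/pkcs11/libccpkip11.so
pkcs11-id 'PKCS_ID'"
SAMPLE_LOG="PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=0
PKCS#11: Calling token_prompt hook for 'PKI Token 1'"

diagnose "$SAMPLE_VERSION" "$SAMPLE_CONFIG" "$SAMPLE_LOG"
diagnose "$SAMPLE_VERSION_NOSD" "$SAMPLE_CONFIG" "$SAMPLE_LOG"
```

On a real system, pass the output of `openvpn --version`, the client config contents and the end of the debug log in place of the sample variables.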

Closed by Toolybird (Toolybird)
Wednesday, 27 September 2023, 06:36 GMT
Reason for closing: Upstream
Additional comments about closing: This looks pretty old and stale. If still an issue, it really needs to be sorted out upstream so please contact them.
Comment by Pawel Szafer (pszafer) - Wednesday, 06 February 2019, 06:09 GMT
Comment by loqs (loqs) - Wednesday, 06 February 2019, 21:42 GMT
Have you tested applying the patches from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772812 ? Does it then work for you?
Or do you also have to patch pkcs11-helper https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907452 and build it with threading disabled https://github.com/OpenSC/pkcs11-helper/issues/5#issuecomment-410471005 ?
Comment by Pawel Szafer (pszafer) - Thursday, 07 February 2019, 06:17 GMT
I applied this patch: https://community.openvpn.net/openvpn/attachment/ticket/538/0001-pkcs11-Workaround-to-make-PKCS-11-PIN-token-work-wit.patch and it is working then.
Should I check other patches as well?
Comment by loqs (loqs) - Thursday, 07 February 2019, 10:48 GMT
No, if that works then at least for your system no more patches are needed.
Comment by Pawel Szafer (pszafer) - Friday, 08 February 2019, 08:08 GMT
OK, will you include this patch in the next build?
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug has been open for more than 2 years. Please reply if you still experience this bug, otherwise this issue will be closed after 1 month.
